HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]

ID: S0398
Platforms: Windows
Version: 1.2
Created: 09 July 2019
Last Modified: 29 November 2021

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | HyperBro has used HTTPS for C2 communications.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | HyperBro can unpack and decrypt its payload prior to execution.[4][5]
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1][5]
Enterprise | T1070.004 | Indicator Removal: File Deletion | HyperBro has the ability to delete a specified file.[1]
Enterprise | T1105 | Ingress Tool Transfer | HyperBro has the ability to download additional files.[1]
Enterprise | T1106 | Native API | HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[1]
Enterprise | T1027 | Obfuscated Files or Information | HyperBro can be delivered encrypted to a compromised host.[4]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | HyperBro has the ability to pack its payload.[5]
Enterprise | T1055 | Process Injection | HyperBro can run shellcode it injects into a newly created process.[1]
Enterprise | T1113 | Screen Capture | HyperBro has the ability to take screenshots.[1]
Enterprise | T1007 | System Service Discovery | HyperBro can list all services and their configurations.[1]
Enterprise | T1569.002 | System Services: Service Execution | HyperBro has the ability to start and stop a specified service.[1]

Groups That Use This Software

ID | Name | References
G0027 | Threat Group-3390 |